From 5e28d4aa823560545e6b49d58e55aecb572f6bd9 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 7 Feb 2023 10:53:18 +0100

Subject: [PATCH 4/5] Change custom zones check in firewalld_sshd_port_enabled

Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch

Patch-status: Change custom zones check in firewalld_sshd_port_enabled

---

 .../oval/shared.xml                           | 68 +++++++++++++++----

 1 file changed, 54 insertions(+), 14 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml

index 4adef2e53f..d7c96665b4 100644

--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml

+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml

@@ -133,9 +133,10 @@

          OVAL resources in order to detect and assess only active zone, which are zones with at

          least one NIC assigned to it. Since it was possible to easily have the list of active

          zones, it was cumbersome to use that list in other OVAL objects without introduce a high

-         level of complexity to make sure environments with multiple NICs and multiple zones are

-         in use. So, in favor of simplicity and readbility it was decided to work with a static

-         list. It means that, in the future, it is possible this list needs to be updated. -->

+         level of complexity to ensure proper assessment in environments where multiple NICs and

+         multiple zones are in use. So, in favor of simplicity and readbility it was decided to

+         work with a static list. It means that, in the future, it is possible this list needs to

+         be updated. -->

         datatype="string"

         comment="Regex containing the list of zones files delivered in the firewalld package">

@@ -145,23 +146,62 @@

          in the /etc/firewalld/zones dir in order to override the default zone settings. The same

          directory is applicable for new zones created by the administrator. Therefore, all files

-         in this directory should also allow SSH. -->

-    

+         in this directory should also allow SSH.

+         This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,

+         which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a

+         variable test is the simplest way to check if all custom zones are allowing ssh, but have

+         an impact in transparency since the objects are not shown in reports. The transparency

+         impact can be workarounded by using other OVAL objects, but this would impact in

+         readability and would increase complexity. This solution is in favor of simplicity. -->

+    

         check="all" check_existence="at_least_one_exists" version="1"

         comment="SSH service is defined in all zones created or modified by the administrator">

-      <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>

-      <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>

-    </ind:xmlfilecontent_test>

+        

+            object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>

+        <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>

+    </ind:variable_test>

+

+    

+        version="1">

+      <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>

+    </ind:variable_object>

+

+    

+        datatype="int" version="1"

+        comment="Variable including number of custom zone files allowing ssh">

+        <count>

+            

+                object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>

+        </count>

+    </local_variable>

     <ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">

-      <ind:path>/etc/firewalld/zones</ind:path>

-      <ind:filename operation="pattern match">^.*\.xml$</ind:filename>

-      <ind:xpath>/zone/service[@name='ssh']</ind:xpath>

+        <ind:path>/etc/firewalld/zones</ind:path>

+        <ind:filename operation="pattern match">^.*\.xml$</ind:filename>

+        <ind:xpath>/zone/service[@name='ssh']</ind:xpath>

     </ind:xmlfilecontent_object>

-    <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">

-      <ind:xpath>/zone/service[@name='ssh']</ind:xpath>

-    </ind:xmlfilecontent_state>

+    

+        version="1">

+        

+            var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>

+    </ind:variable_state>

+

+    

+        datatype="int" version="1"

+        comment="Variable including number of custom zone files present in /etc/firewalld/zones">

+        <count>

+            

+                object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>

+        </count>

+    </local_variable>

+

+    <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">

+        

+            recurse_file_system="local"/>

+        <unix:path>/etc/firewalld/zones</unix:path>

+        <unix:filename operation="pattern match">^.*\.xml$</unix:filename>

+    </unix:file_object>

-- 

2.39.1